Asset ID: 1-71-1020965.1
Update Date: 2012-04-26
Keywords:
Solution Type: Technical Instruction (Sure Solution)
Solution 1020965.1:
KMS - How to Check When KMS Firewall tcp Ports Are Open
Related Items:
- Sun StorageTek Crypto Key Management System
Related Categories:
- PLA-Support>Sun Systems>TAPE>Backup Software-Filesystems>SN-TP: Encryption
- .Old GCS Categories>Sun Microsystems>Storage Software>Data Protection Software - Tape
Previously Published As: 268168
Applies to:
Sun StorageTek Crypto Key Management System - Version Not Applicable and later
All Platforms
Checked for relevance on 2-Nov-2011.
Goal
How to check that the KMS firewall TCP ports are open.
Fix
The following are the TCP/IP ports that KMS needs open.

Port  Protocol              Direction   Service (notes)
22    TCP                   Listening   SSH (only when Technical Support is enabled)
53    TCP/UDP               Connecting  DNS (only when the KMA is configured to use DNS)
68    UDP                   Connecting  DHCP (only when the KMA is configured to use DHCP)
123   TCP/UDP               Listening   NTP
161   UDP                   Connecting  SNMP (only when SNMP Managers are defined)
3331  HTTP over TCP         Listening   KMS CA Service (KMA-to-KMA, Agent-to-KMA, Manager-to-KMA)
3332  HTTPS (TLS) over TCP  Listening   KMS Certificate Service (KMA-to-KMA, Agent-to-KMA, Manager-to-KMA)
3333  HTTPS (TLS) over TCP  Listening   KMS Management Service (Manager-to-KMA)
3334  HTTPS (TLS) over TCP  Listening   KMS Agent Service (Agent-to-KMA)
3335  HTTPS (TLS) over TCP  Listening   KMS Discovery Service (Agent-to-KMA, Manager-to-KMA)
3336  HTTPS (TLS) over TCP  Listening   KMS Replication Service (KMA-to-KMA)
Steps to Follow
How to check that the KMA ports are open on the firewall.
Open a web browser and go to the following URLs (172.20.151.25 is the address of the KMA in this example):
https://172.20.151.25:3332/?wsdl
https://172.20.151.25:3333/?wsdl
https://172.20.151.25:3334/?wsdl
https://172.20.151.25:3335/?wsdl
https://172.20.151.25:3336/?wsdl
http://172.20.151.25:3331/?wsdl
The following message appears when opening the links above:
===============================
This Connection is Untrusted
You have asked Firefox to connect securely to 172.20.151.25:3332, but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.
Technical Details
172.20.151.25:3332 uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is not trusted.
The certificate is only valid for kma1
(Error code: sec_error_untrusted_issuer)
I Understand the Risks
==============================
This is the message you should get if the KMA port is responding, which means the firewall is not blocking the port.
==============================
If ports 3332-3336 are open, the browser presents output confirming that it has established a connection to these ports on the server and reports that the certificate is not valid.
Port 3331 uses plain HTTP, so for that port the browser simply displays the HTML/XML that the KMA returns; see the output below.
If the browser is unable to communicate with the port, it either times out or reports that the page was not found.
HTML display of a good communication response from the KMA (port 3331):
This XML file does not appear to have any style information associated with it. The document tree is shown below.
"http://schemas.xmlsoap.org/soap/encoding/">
SOAP-ENV:Client
HTTP GET method not implemented
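The browser check above can be scripted so the same result is obtained from any host on the far side of the firewall. The following is an added example, not part of the original article or of the KMS product: it attempts a TLS handshake on 3332-3336 (with verification disabled, since the KMA's certificate comes from its own CA, which is exactly the "untrusted issuer" warning above) and a plain HTTP GET on 3331, and treats the "HTTP GET method not implemented" SOAP fault as the expected reply. The host name, `probe_port` and `classify_http_body` are names chosen for this example.

```python
"""Probe the KMA service ports from the far side of the firewall (added example)."""
import socket
import ssl
import sys
# Port -> service, from the port table above; 3331 is plain HTTP, the rest are TLS.
KMA_PORTS = {3331: "KMS CA Service", 3332: "KMS Certificate Service",
             3333: "KMS Management Service", 3334: "KMS Agent Service",
             3335: "KMS Discovery Service", 3336: "KMS Replication Service"}

def classify_http_body(body: str) -> str:
    """Port 3331 answers a plain GET with a SOAP fault; that fault is the proof of life."""
    if "HTTP GET method not implemented" in body:
        return "open (KMS CA Service answered with the expected SOAP fault)"
    return "open (TCP accepted, but the reply was not the expected SOAP fault)"

def probe_port(host: str, port: int, timeout: float = 5.0, tls=None) -> str:
    """One-line verdict for one port. Verification is disabled on purpose: the KMA
    presents a certificate from its own CA (the browser's 'untrusted issuer' warning),
    and we only want to know whether the port answers; nothing is trusted or sent."""
    if tls is None:
        tls = port != 3331  # only the CA Service speaks plain HTTP
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if not tls:
                sock.sendall(f"GET /?wsdl HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
                body = b""
                while chunk := sock.recv(4096):  # read until the server closes
                    body += chunk
                return classify_http_body(body.decode(errors="replace"))
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
                return f"open (TLS handshake completed, {tls_sock.version()})"
    except socket.timeout:
        return "blocked (timed out; a firewall is probably dropping the packets)"
    except ConnectionRefusedError:
        return "closed (connection refused; host reachable but nothing listening)"
    except ssl.SSLError as exc:
        return f"open (TCP accepted but TLS handshake failed: {exc.reason})"
    except OSError as exc:
        return f"unreachable ({exc})"

if __name__ == "__main__":
    kma = sys.argv[1] if len(sys.argv) > 1 else "172.20.151.25"  # the article's sample KMA
    for p in sorted(KMA_PORTS):
        print(f"{p} {KMA_PORTS[p]:<24} {probe_port(kma, p)}")
```

A "blocked" verdict (timeout) points at the firewall, while "closed" (connection refused) means the packets reach the KMA but the service is not listening, which is a different problem.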